UPDATE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities

From: Sune Kloppenborg Jeppesen (jaervosz_at_gentoo.org)
Date: 09/03/04

  • Next message: Pierquinto Manco: "[XSS] PHP-Nuke 7.4 Remote Privilege Escalation"
    To: gentoo-announce@gentoo.org
    Date: Fri, 3 Sep 2004 11:38:44 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200408-22
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Normal
         Title: Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New
                releases fix vulnerabilities
          Date: August 23, 2004
          Bugs: #57380, #59419
            ID: 200408-22

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    New releases of Mozilla, Epiphany, Galeon, Mozilla Thunderbird, and
    Mozilla Firefox fix several vulnerabilities, including remote DoS and
    buffer overflows.

    Background
    ==========

    Mozilla is a popular web browser that includes a mail and newsreader.
    Galeon and Epiphany are both web browsers that use gecko, the Mozilla
    rendering engine. Mozilla Firefox is the next-generation browser from
    the Mozilla project that incorporates advanced features that are yet to
    be incorporated into Mozilla. Mozilla Thunderbird is the
    next-generation mail client from the Mozilla project.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package / Vulnerable / Unaffected
        -------------------------------------------------------------------
      1 mozilla < 1.7.2 >= 1.7.2
      2 mozilla-firefox < 0.9.3 >= 0.9.3
      3 mozilla-thunderbird < 0.7.3 >= 0.7.3
      4 mozilla-bin < 1.7.2 >= 1.7.2
      5 mozilla-firefox-bin < 0.9.3 >= 0.9.3
      6 mozilla-thunderbird-bin < 0.7.3 >= 0.7.3
      7 epiphany < 1.2.7-r1 >= 1.2.7-r1
      8 galeon < 1.3.17 >= 1.3.17
        -------------------------------------------------------------------
         8 affected packages on all of their supported architectures.
        -------------------------------------------------------------------

    Description
    ===========

    Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird
    contain the following vulnerabilities:

    * All Mozilla tools use libpng for graphics. This library contains a
      buffer overflow which may lead to arbitrary code execution.

    * If a user imports a forged Certificate Authority (CA) certificate,
      it may overwrite and corrupt the valid CA already installed on the
      machine.

    Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a
    bug in their caching which may allow the SSL icon to remain visible,
    even when the site in question is an insecure site.

    Impact
    ======

    Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are
    susceptible to SSL certificate spoofing, a Denial of Service against
    legitimate SSL sites, crashes, and arbitrary code execution. Users of
    Mozilla Thunderbird are susceptible to crashes and arbitrary code
    execution via malicious e-mails.

    Workaround
    ==========

    There is no known workaround for most of these vulnerabilities. All
    users are advised to upgrade to the latest available version.

    Resolution
    ==========

    All users should upgrade to the latest stable version:

        # emerge sync

        # emerge -pv your-version
        # emerge your-version

    References
    ==========

      [ 1 ] CAN-2004-0763
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
      [ 2 ] CAN-2004-0758
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
      [ 3 ] CAN-2004-0597
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
      [ 4 ] CAN-2004-0598
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
      [ 5 ] CAN-2004-0599
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200408-22.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2004 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/1.0
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFBODukzKC5hMHO6rkRAhL8AJ4/Sv7xDRUIUyb/vJWqoAJK0Ft2QQCdHo3z
    ybxN9FXECqEJjWceB6uLR9M=
    =YKBA
    -----END PGP SIGNATURE-----


  • Next message: Pierquinto Manco: "[XSS] PHP-Nuke 7.4 Remote Privilege Escalation"

    Relevant Pages

    • [Full-disclosure] [ MDVSA-2012:013 ] mozilla
      ... Package: mozilla ... Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and ... enforce the IPv6 literal address syntax, which allows remote attackers ... version for Mandriva Linux 2011 which is required by firefox 10.0. ...
      (Full-Disclosure)
    • [ MDVSA-2012:013 ] mozilla
      ... Package: mozilla ... Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and ... enforce the IPv6 literal address syntax, which allows remote attackers ... version for Mandriva Linux 2011 which is required by firefox 10.0. ...
      (Bugtraq)
    • [Full-disclosure] [ GLSA 200808-03 ] Mozilla products: Multiple vulnerabilities
      ... Multiple vulnerabilities have been reported in Mozilla Firefox, ... Mozilla Firefox is an open-source web browser and Mozilla Thunderbird ... SeaMonkey project is a community effort to deliver production-quality ...
      (Full-Disclosure)
    • Re: html format question/ OOo
      ... >> or clear font) into the Writer doc. ... > across Mozilla, Firefox and Konqueror? ... > James Wilkinson | Why did the chicken cross the Möbius strip? ... Mozilla Firefox is the only browser I use right now. ...
      (Fedora)
    • [ GLSA 200808-03 ] Mozilla products: Multiple vulnerabilities
      ... Multiple vulnerabilities have been reported in Mozilla Firefox, ... Mozilla Firefox is an open-source web browser and Mozilla Thunderbird ... SeaMonkey project is a community effort to deliver production-quality ...
      (Bugtraq)